path: root/src/routes
Commit message | Author | Age | Files | Lines
* fix(api): await setShadowHidden in badges PUT | Fuwn | 2026-04-18 | 1 | -1/+4
  setShadowHidden is async and hits Supabase. The PUT handler called it without await, so the handler could respond before the database write landed (and any error was silently lost). Add the missing await so the response only goes out after the update settles.
* fix(api): drop unused redirect query param from oauth refresh | Fuwn | 2026-04-18 | 1 | -3/+1
  The refresh endpoint accepted a ?redirect query param and, when present, called redirect(303, "/") instead of returning the refreshed token as JSON. The target was hardcoded to "/" regardless of the param's value, so the feature was dead — and the pattern of reading a "redirect" param invited future open-redirect bugs if someone wired the value through to redirect() directly. The sole in-tree caller (feeds/activity-notifications) reads the JSON response, so always return JSON and drop the redirect import.
* fix(api): gate badge click-count on Origin and fix 401 response reuse | Fuwn | 2026-04-18 | 1 | -9/+11
  The PUT ?incrementClickCount path ran before any auth guard, letting unauthenticated callers spam-increment arbitrary badges. Require the request Origin to match appOrigin() so legitimate in-browser clicks (authenticated or not) still count while direct scripted calls are rejected. Also convert the shared `unauthorised` Response singleton into a factory. The singleton's body was consumed on first use, so subsequent 401 paths returned a `Response body is locked` error instead of the intended "Unauthorised" body.
* fix(api): encode subsplease timezone to prevent query-param injection | Fuwn | 2026-04-18 | 1 | -5/+6
  The `tz` query value was interpolated raw into the upstream URL, letting callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the value in encodeURIComponent and rename the local variable away from the banned `tz` abbreviation.
* fix(ui): balance homepage media panels | Fuwn | 2026-04-12 | 1 | -62/+220
* revert(ui): remove april fools executive mode | Fuwn | 2026-04-02 | 3 | -99/+22
* fix(ui): tune april fools notification copy | Fuwn | 2026-04-01 | 1 | -1/+1
* fix(ui): simplify april fools controls | Fuwn | 2026-04-01 | 1 | -15/+52
* feat(ui): add april fools executive mode | Fuwn | 2026-04-01 | 3 | -22/+62
* fix(badges): hide outbound link notice | Fuwn | 2026-04-01 | 1 | -1/+1
* fix(state): restore persisted list UI state | Fuwn | 2026-03-28 | 2 | -4/+6
* fix(cache): preserve hydrated client state | Fuwn | 2026-03-28 | 1 | -1/+2
* fix(auth): ignore malformed user cookies | Fuwn | 2026-03-28 | 6 | -24/+54
* fix(api): keep preferences publicly readable | Fuwn | 2026-03-27 | 1 | -4/+1
* fix(profile): restore owner controls for new accounts | Fuwn | 2026-03-27 | 2 | -21/+41
* refactor(supabase): move app access to service role | Fuwn | 2026-03-27 | 2 | -40/+56
* fix(actions): resolve quality and trigger deploy drift | Fuwn | 2026-03-22 | 1 | -6/+8
* perf: lazy-load authenticated list surfaces | Fuwn | 2026-03-22 | 2 | -25/+145
* refactor: centralise site origin usage | Fuwn | 2026-03-22 | 11 | -61/+44
* refactor(effect): add request body schema decoders to api routes | Fuwn | 2026-03-03 | 4 | -5/+36
* refactor(effect): migrate api auth cookie decoding | Fuwn | 2026-03-03 | 4 | -57/+18
* refactor(effect): migrate core auth decode boundaries | Fuwn | 2026-03-03 | 2 | -18/+6
* chore(cleanup): remove stale eslint directives | Fuwn | 2026-03-01 | 2 | -3/+0
* chore(biome): drop formatter style overrides | Fuwn | 2026-03-01 | 53 | -1463/+1597
* chore(biome): re-enable noImplicitAnyLet rule | Fuwn | 2026-03-01 | 11 | -11/+22
* chore(biome): enable svelte linting | Fuwn | 2026-03-01 | 2 | -3/+3
* chore(biome): enable svelte formatting | Fuwn | 2026-03-01 | 21 | -955/+954
* chore(biome): re-enable noDoubleEquals rule | Fuwn | 2026-03-01 | 1 | -1/+1
* chore(types): decouple app code from fragile generated route types | Fuwn | 2026-03-01 | 1 | -1/+1
* perf: optimise list hot paths and shared timers | Fuwn | 2026-03-01 | 3 | -9/+9
* fix: Resolve all ESLint errors and warnings | Fuwn | 2026-01-29 | 8 | -12/+12
* feat(Landing): Update to match LandingHero | Fuwn | 2026-01-28 | 1 | -5/+1
* feat: Add hero for landing and welcome page | Fuwn | 2026-01-27 | 2 | -0/+11
* feat(+layout.svelte): Add Web Analytics | Fuwn | 2026-01-26 | 1 | -0/+3
* fix: Add null guards and improve error messaging for user lookups | Fuwn | 2026-01-23 | 4 | -6/+27
* fix: Resolve unused imports, dead code, and type definitions | Fuwn | 2026-01-23 | 1 | -1/+0
* refactor: Migrate event handlers to new Svelte 5 syntax | Fuwn | 2026-01-23 | 10 | -39/+39
* refactor(layout): Replace empty p elements with reusable Spacer component | Fuwn | 2026-01-23 | 12 | -39/+51
* fix(html): Replace self-closing non-void HTML elements with proper closing tags | Fuwn | 2026-01-23 | 11 | -38/+38
* fix(notifications): Replace svelte-notifications with custom store for Svelte 5 | Fuwn | 2026-01-22 | 1 | -4/+3
* format: Apply Prettier formatting | Fuwn | 2026-01-22 | 1 | -7/+21
* deps(svelte): Migrate to Svelte 5 with compatibility mode | Fuwn | 2026-01-22 | 1 | -3/+8
* deps(sveltekit): Migrate to SvelteKit 2 | Fuwn | 2026-01-22 | 2 | -2/+2
* format: Apply Prettier formatting | Fuwn | 2025-12-15 | 11 | -67/+50
* fix(api:birthdays): Update HTML parser for primary source | Fuwn | 2025-12-07 | 1 | -3/+3
* fix: Throw redirects | Fuwn | 2025-12-01 | 2 | -2/+2
* feat(badges): Add a no-load query parameter | Fuwn | 2025-09-06 | 1 | -8/+15
* style(src): Remove self-closing tags with attributes | Fuwn | 2025-06-23 | 1 | -2/+2
* style(src): Remove self-closing p and div tags | Fuwn | 2025-06-23 | 12 | -39/+39
* refactor(LastActivity): Move display guard to component | Fuwn | 2025-06-14 | 1 | -3/+1